With early builds of Windows 8 leaking, increased attention has been focused on understanding a new 16 character string affixed to the end of the build watermark. Some have speculated the characters identify the original installer (Microsoft employee) while others have dismissed the importance altogether.
After installing the leaked Windows 8 7955 build, in plain sight are the characters a1b6210f837a32cf. Digging through shell32.dll, housing code to paint the desktop watermark, I found code that sources from HKLM\SYSTEM\WPA\478C035F-04BC-48C7-B324-2462D786DAD7-5P-9. More specifically, the Default value, comprising of 128 bytes, is read and run through a XOR-based function producing a 64-bit (8 byte) hash. I’ve included a rough translation of the algorithm (from assembly to C++) for review. (If this is an implementation of a well-known algorithm, I’d love to know.)
Read more: Within windows